DynamoDB encryption at rest provides an additional layer of data protection by securing your data in the encrypted table, including its primary key, local and global secondary indexes, streams, global tables, backups, and DynamoDB Accelerator (DAX) clusters whenever the data is stored in durable media. Organizational policies, industry or government regulations, and compliance requirements often require the use of encryption at rest to increase the data security of your applications.

Encryption at rest integrates with AWS KMS for managing the encryption key that is used to encrypt your tables.

When creating a new table, you can choose one of the following customer master keys (CMK) to encrypt your table:

When you access an encrypted table, DynamoDB decrypts the table data transparently. You can switch between the AWS owned CMK and AWS managed CMK at any given time. You don't have to change any code or applications to use or manage encrypted tables. DynamoDB continues to deliver the same single-digit millisecond latency that you have come to expect, and all DynamoDB queries work seamlessly on your encrypted data.

To learn how to create an encrypted table or switch the encryption keys on an existing table using the AWS Management Console, AWS Command Line Interface (AWS CLI), or the Amazon DynamoDB API, see Managing Encrypted Tables.
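
The following Python code is an added example, not part of the AWS documentation. It classifies DescribeTable output by key type and builds the SSESpecification parameter used to switch between the two keys. The table names, account ID and key ID in the sample data are constructed, and treating an enabled KMS-type table as using the AWS managed CMK assumes only the two key types described on this page.

```python
"""Classify DynamoDB table encryption from DescribeTable output (added example)."""

# Constructed DescribeTable responses; names, account ID and key ID are placeholders.
SAMPLE_RESPONSES = [
    {"Table": {"TableName": "orders"}},  # no SSEDescription in the response
    {"Table": {"TableName": "payments", "SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS",
        "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}},
    {"Table": {"TableName": "sessions",
               "SSEDescription": {"Status": "UPDATING", "SSEType": "KMS"}}},
]

def classify(response):
    """Return (table_name, key_class, key_arn) for one DescribeTable response."""
    table = response["Table"]
    sse = table.get("SSEDescription")
    if not sse or sse.get("Status") == "DISABLED":
        # DescribeTable omits SSEDescription when the AWS owned CMK is in use.
        return table["TableName"], "AWS_OWNED", None
    if sse.get("Status") != "ENABLED":
        # ENABLING / UPDATING / DISABLING: a key switch is still in progress.
        return table["TableName"], "IN_TRANSITION", sse.get("KMSMasterKeyArn")
    # Assumption: only the two key types on this page exist, so KMS means AWS managed.
    return table["TableName"], "AWS_MANAGED", sse.get("KMSMasterKeyArn")

def sse_specification(target):
    """SSESpecification value for CreateTable/UpdateTable: True selects the
    AWS managed CMK, False selects the AWS owned CMK."""
    return {"Enabled": {"AWS_MANAGED": True, "AWS_OWNED": False}[target]}

def non_compliant(responses, required="AWS_MANAGED"):
    """Names of tables whose key class differs from the one policy requires."""
    return [name for name, cls, _ in map(classify, responses) if cls != required]

def audit_account(region):
    """Live variant: needs boto3 plus dynamodb:ListTables and DescribeTable."""
    import boto3  # imported lazily so the offline sample run needs no SDK
    client = boto3.client("dynamodb", region_name=region)
    pages = client.get_paginator("list_tables").paginate()
    names = [n for page in pages for n in page["TableNames"]]
    return [classify(client.describe_table(TableName=n)) for n in names]

if __name__ == "__main__":
    for row in map(classify, SAMPLE_RESPONSES):
        print(row)
    print("non-compliant:", non_compliant(SAMPLE_RESPONSES))
```

To switch a flagged table, pass the result of sse_specification("AWS_MANAGED") as the SSESpecification argument of an UpdateTable call.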

Note

Encryption at rest is generally available but not currently supported in the following AWS Regions:

AWS GovCloud (US-West) (US-West)

AWS GovCloud (US) (US-East)

China (Beijing)

China (Ningxia)

Encryption at rest using the AWS owned CMK is offered at no additional cost. However, AWS KMS charges apply for AWS managed CMK. For more information about pricing, see Amazon DynamoDB Pricing.
